

Who in the world is Jia Tan? (News)
Apr 1, 2024
A recently discovered backdoor in the liblzma compression library has sparked major concern, especially as it affects OpenSSH. The discussion dives into how this supply chain attack occurred and the methods used to implant the exploit. The mystery surrounding Jia Tan, the suspected attacker, is explored alongside the investigative efforts to reveal his identity. Also tackled are the emotional and practical challenges that open-source maintainers face, highlighting the complex dynamics between these developers and the companies relying on their work.
The Discovery
- Microsoft researcher Andres Freund found a backdoor in liblzma after noticing odd symptoms.
- SSH logins were consuming high CPU, which prompted him to investigate because of his micro-benchmarking needs.
The Code
- The exploit within liblzma is sophisticated and represents a nightmare scenario.
- A competent, malicious actor with authorized access deployed it, highlighting a significant security risk.
The Maintainer
- Lasse Collin, the XZ maintainer, confirmed the backdoor in XZ 5.6 and 5.6 releases.
- The releases were created and signed by an unknown individual named Jia Tan.